
Is a certificate absolutely necessary when installing ISE?

김선명
Level 1

Hi~

I am studying ISE. I'm going to try installing it first.

I understand that there are three essential elements: NTP, DHCP, and certificate. Is this correct?

(Certificate means "self-signed certificate" or "certificate issued by CA")

Arne Bier
VIP

Hello

Depends how serious your lab setup is. During install you should have ready:

  • hostname
  • DNS domain name (whatever works for you - this domain name is appended to the hostname to make the FQDN - this is then used to make the ISE node System Self-Signed Certificates)
  • IPv4 address and subnet mask
  • IPv4 default Gateway
  • NTP server

You should have a working DNS server and add your ISE hostname to the DNS - A record and PTR record.

Every ISE node must have a System Admin certificate - this is how you access the GUI. And then you can have EAP cert and Guest/BYOD Web Portal Certs (optional if you are building portals). Using a self-signed Admin cert is ok for lab. But not so wise for production, because your web browsers that connect to ISE for admin purposes will always warn of an untrusted site.

Hi @Arne Bier 

Thank you for your help!

If DNS 8.8.8.8 and NTP time.google.com are set on the Cisco L3 switch, can I set NTP and DNS to the switch IP in ISE?

Arne Bier
VIP

You can configure time.google.com as your NTP in ISE, as long as you can resolve that FQDN. Which means, if you configure 8.8.8.8 in ISE as your DNS server, then that would work (assuming the ISE node can route to the internet). The problem you will find though, is that your ISE node's FQDN is most likely not going to have a DNS A/PTR record in the public DNS domain. Unless you have a public DNS domain that you can control? In that case, you can add your ISE DNS records in there. In most cases, ISE node FQDNs are kept in on-prem (intranet) DNS servers.
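A pre-install check for the DNS and NTP points made in the two answers above, as an added example that is not part of the original posts or any Cisco tooling: it confirms that the planned ISE FQDN has an A record, that the PTR record points back to the same name, and that the NTP server name resolves. The function name, the `lab.example` hostnames and the 192.0.2.x addresses are assumptions, and the sample zone data is constructed.

```python
import socket

# Constructed lab zone data (documentation addresses), standing in for a real DNS server.
SAMPLE_A = {"ise01.lab.example": ["192.0.2.10"],
            "ise02.lab.example": ["192.0.2.11"],
            "time.google.com": ["192.0.2.123"]}   # constructed address, not the real one
SAMPLE_PTR = {"192.0.2.10": "ise01.lab.example."}  # ise02 deliberately has no PTR

def _lookup(table, key):
    if key not in table:
        raise OSError(f"no record for {key}")
    return table[key]

def sample_forward(name):
    return _lookup(SAMPLE_A, name.rstrip(".").lower())

def sample_reverse(ip):
    return _lookup(SAMPLE_PTR, ip)

def check_ise_prereqs(fqdn, ip, ntp_server, forward=None, reverse=None):
    """Return a list of problems (empty list means A, PTR and NTP name all check out)."""
    # Defaults use the local OS resolver, which may differ from the DNS server set in ISE.
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    problems = []
    try:
        addrs = forward(fqdn)
    except OSError as exc:
        problems.append(f"A lookup for {fqdn} failed: {exc}")
    else:
        if ip not in addrs:
            problems.append(f"A record for {fqdn} is {addrs}, expected {ip}")
    try:
        ptr = reverse(ip).rstrip(".").lower()
    except OSError as exc:
        problems.append(f"PTR lookup for {ip} failed: {exc}")
    else:
        if ptr != fqdn.rstrip(".").lower():
            problems.append(f"PTR for {ip} is {ptr}, expected {fqdn}")
    try:
        forward(ntp_server)
    except OSError as exc:
        problems.append(f"NTP server {ntp_server} does not resolve: {exc}")
    return problems

if __name__ == "__main__":
    for host, addr in (("ise01.lab.example", "192.0.2.10"), ("ise02.lab.example", "192.0.2.11")):
        print(host, check_ise_prereqs(host, addr, "time.google.com", sample_forward, sample_reverse) or "OK")
```

Called without the `forward` and `reverse` arguments it queries live DNS, so run it from a host that uses the same DNS server you plan to configure in ISE.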

Hi @Arne Bier 

Thank you so much for your help!